Google Git
Sign in
qemu / qemu / b946434f2659a182afc17e155be6791ebfb302eb
commitb946434f2659a182afc17e155be6791ebfb302eb[log] [tgz]
authorGerd Hoffmann <kraxel@redhat.com>Tue Aug 25 07:36:36 2020 +0200
committerGerd Hoffmann <kraxel@redhat.com>Mon Aug 31 08:23:39 2020 +0200
treed0b25ff035e1bfa46b0349e8dfdea112c9eaa49c
parent202d69a715a4b1824dcd7ec1683d027ed2bae6d3 [diff]
usb: fix setup_len init (CVE-2020-14364)

Store calculated setup_len in a local variable, verify it, and only
write it to the struct (USBDevice->setup_len) in case it passed the
sanity checks.

This prevents other code (do_token_{in,out} functions specifically)
from working with invalid USBDevice->setup_len values and overrunning
the USBDevice->setup_buf[] buffer.

Fixes: CVE-2020-14364
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Message-id: 20200825053636.29648-1-kraxel@redhat.com
1 file changed
tree: d0b25ff035e1bfa46b0349e8dfdea112c9eaa49c
  1. .github/
  2. .gitlab-ci.d/
  3. accel/
  4. audio/
  5. authz/
  6. backends/
  7. block/
  8. bsd-user/
  9. chardev/
  10. contrib/
  11. crypto/
  12. default-configs/
  13. disas/
  14. docs/
  15. dump/
  16. fpu/
  17. fsdev/
  18. gdb-xml/
  19. hw/
  20. include/
  21. io/
  22. libdecnumber/
  23. linux-headers/
  24. linux-user/
  25. migration/
  26. monitor/
  27. nbd/
  28. net/
  29. pc-bios/
  30. plugins/
  31. po/
  32. python/
  33. qapi/
  34. qga/
  35. qobject/
  36. qom/
  37. replay/
  38. roms/
  39. scripts/
  40. scsi/
  41. softmmu/
  42. storage-daemon/
  43. stubs/
  44. target/
  45. tcg/
  46. tests/
  47. tools/
  48. trace/
  49. ui/
  50. util/
  51. capstone
  52. dtc
  53. meson
  54. slirp
  55. .cirrus.yml
  56. .dir-locals.el
  57. .editorconfig
  58. .exrc
  59. .gdbinit
  60. .gitignore
  61. .gitlab-ci.yml
  62. .gitmodules
  63. .gitpublish
  64. .mailmap
  65. .patchew.yml
  66. .readthedocs.yml
  67. .shippable.yml
  68. .travis.yml
  69. block.c
  70. blockdev-nbd.c
  71. blockdev.c
  72. blockjob.c
  73. bootdevice.c
  74. Changelog
  75. CODING_STYLE.rst
  76. configure
  77. COPYING
  78. COPYING.LIB
  79. cpus-common.c
  80. device_tree.c
  81. disas.c
  82. dma-helpers.c
  83. exec-vary.c
  84. exec.c
  85. gdbstub.c
  86. gitdm.config
  87. hmp-commands-info.hx
  88. hmp-commands.hx
  89. iothread.c
  90. job-qmp.c
  91. job.c
  92. Kconfig
  93. Kconfig.host
  94. LICENSE
  95. MAINTAINERS
  96. Makefile
  97. Makefile.objs
  98. memory_ldst.c.inc
  99. meson.build
  100. meson_options.txt
  101. module-common.c
  102. os-posix.c
  103. os-win32.c
  104. qdev-monitor.c
  105. qemu-bridge-helper.c
  106. qemu-edid.c
  107. qemu-img-cmds.hx
  108. qemu-img.c
  109. qemu-io-cmds.c
  110. qemu-io.c
  111. qemu-keymap.c
  112. qemu-nbd.c
  113. qemu-options-wrapper.h
  114. qemu-options.h
  115. qemu-options.hx
  116. qemu-seccomp.c
  117. qemu.nsi
  118. qemu.sasl
  119. README.rst
  120. replication.c
  121. replication.h
  122. rules.mak
  123. thunk.c
  124. tpm.c
  125. trace-events
  126. VERSION
  127. version.rc
  128. version.texi.in